Stored Cross-Site Scripting Vulnerability in Email JavaScript Cloak Plugin for WordPress
CVE-2026-10091

7.2HIGH

Key Information:

Vendor: WordPress
Status: Email Javascript Cloak
Vendor: CVE Published:; 24 June 2026

What is CVE-2026-10091?

The Email JavaScript Cloak plugin for WordPress is susceptible to stored cross-site scripting due to inadequate input sanitization and output escaping on user-supplied attributes in its 'email' shortcode. Authenticated attackers with contributor-level access and above can exploit this vulnerability to inject arbitrary web scripts. This leads to potential malicious scripts executing in the user's browser when they access affected pages, posing a significant security risk.

Affected Version(s)

Email JavaScript Cloak 0 <= 1.03

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/email-javascri...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
May 29, 2026

Credit

Youcef Hamdani

CVE-2026-10091 Data

JSON